Is it possible to run a process in chroot with virtual /proc filesystem under Linux?











up vote
1
down vote

favorite












I need to run a process in a chroot with a virtual /proc filesystem, so the process is unable to get access to other processes running on the same host. The process must be run under root and have full access to files in chroot. Also any changes to the filesystem must be preserved in the chrooted directory.



Is it even possible?






linux linux-kernel chroot proc







share|improve this question




















  • 1




    Any particular reason for trying to achieve such behavior?
    – ddnomad
    Mar 21 '17 at 1:31










  • a VM or LXC container will give you a real-looking /proc without actually being the host's /proc.
    – quixotic
    Mar 21 '17 at 4:09















up vote
1
down vote

favorite












I need to run a process in a chroot with a virtual /proc filesystem, so the process is unable to get access to other processes running on the same host. The process must be run under root and have full access to files in chroot. Also any changes to the filesystem must be preserved in the chrooted directory.



Is it even possible?






linux linux-kernel chroot proc







share|improve this question




















  • 1




    Any particular reason for trying to achieve such behavior?
    – ddnomad
    Mar 21 '17 at 1:31










  • a VM or LXC container will give you a real-looking /proc without actually being the host's /proc.
    – quixotic
    Mar 21 '17 at 4:09













up vote
1
down vote

favorite









up vote
1
down vote

favorite











I need to run a process in a chroot with a virtual /proc filesystem, so the process is unable to get access to other processes running on the same host. The process must be run under root and have full access to files in chroot. Also any changes to the filesystem must be preserved in the chrooted directory.



Is it even possible?






linux linux-kernel chroot proc







share|improve this question















I need to run a process in a chroot with a virtual /proc filesystem, so the process is unable to get access to other processes running on the same host. The process must be run under root and have full access to files in chroot. Also any changes to the filesystem must be preserved in the chrooted directory.



Is it even possible?






linux linux-kernel chroot proc




linux linux-kernel chroot proc






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 21 '17 at 2:09









user unknown

1,4441123




1,4441123










asked Mar 21 '17 at 0:30









user4674453

61




61








  • 1




    Any particular reason for trying to achieve such behavior?
    – ddnomad
    Mar 21 '17 at 1:31










  • a VM or LXC container will give you a real-looking /proc without actually being the host's /proc.
    – quixotic
    Mar 21 '17 at 4:09














  • 1




    Any particular reason for trying to achieve such behavior?
    – ddnomad
    Mar 21 '17 at 1:31










  • a VM or LXC container will give you a real-looking /proc without actually being the host's /proc.
    – quixotic
    Mar 21 '17 at 4:09








1




1




Any particular reason for trying to achieve such behavior?
– ddnomad
Mar 21 '17 at 1:31




Any particular reason for trying to achieve such behavior?
– ddnomad
Mar 21 '17 at 1:31












a VM or LXC container will give you a real-looking /proc without actually being the host's /proc.
– quixotic
Mar 21 '17 at 4:09




a VM or LXC container will give you a real-looking /proc without actually being the host's /proc.
– quixotic
Mar 21 '17 at 4:09










2 Answers
2






active

oldest

votes

















up vote
0
down vote













It is possible to mount /proc in a chroot environment - see this answer for more on that.



I would have concerns that the program would not be able to get access to other processes as much (if not all) of this information can be accessed through /proc (/proc/[pid number] will give you access to this ).



Its unclear what you mean by "changes to the filesystem", but if these changes are to the filesystem excluding special bits like /proc, /dev/ etc, these will stay in the chroot.






share|improve this answer





















  • mounting the real /proc in the chroot is pretty much exactly what the question is trying to avoid.
    – quixotic
    Mar 21 '17 at 4:00










  • @quixotic - if thats the case, the answer is "no" - unless a lot more information given as to what specific parts of /proc are needed. Rereading the question, I wonder if the understanding of filesystems is correct - as in does "changes to the filesystem must be preserved" imply access to files outside the scope of the directories under the chroot jail.
    – davidgo
    Mar 21 '17 at 4:06










  • agree that doesn't entirely make sense -- it could be assuming a read-only base for the chroot, like docker or snapshot-able VM images or running the chroot in a loop-mounted ISO image or ...
    – quixotic
    Mar 21 '17 at 4:14










  • > Its unclear what you mean by "changes to the filesystem" That was to avoid docker fans to flood the topic :) What I really need is to be able to install any package, which pulls a lot of dependencies in that way it won't pollute the system, and be usable in the shell like it is installed in /usr/bin. So I would like it to use main root, but all the changes it produces, including dependencies, logs, etc. to be stored in separate directory. I want it to know nothing about root system, and the processes it's running, as it won't work smoothly.
    – user4674453
    Mar 21 '17 at 22:36




















up vote
0
down vote













You can accomplish this using Linux namespaces. Containers (Docker, lxc) are made out of those. man unshare is Your friend.
Beware that attacker can easily escape chroot if You use it improperly. Read up on this before using it. You have been warned.






share|improve this answer





















    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














     

    draft saved


    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1190640%2fis-it-possible-to-run-a-process-in-chroot-with-virtual-proc-filesystem-under-li%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    0
    down vote













    It is possible to mount /proc in a chroot environment - see this answer for more on that.



    I would have concerns that the program would not be able to get access to other processes as much (if not all) of this information can be accessed through /proc (/proc/[pid number] will give you access to this ).



    Its unclear what you mean by "changes to the filesystem", but if these changes are to the filesystem excluding special bits like /proc, /dev/ etc, these will stay in the chroot.






    share|improve this answer





















    • mounting the real /proc in the chroot is pretty much exactly what the question is trying to avoid.
      – quixotic
      Mar 21 '17 at 4:00










    • @quixotic - if thats the case, the answer is "no" - unless a lot more information given as to what specific parts of /proc are needed. Rereading the question, I wonder if the understanding of filesystems is correct - as in does "changes to the filesystem must be preserved" imply access to files outside the scope of the directories under the chroot jail.
      – davidgo
      Mar 21 '17 at 4:06










    • agree that doesn't entirely make sense -- it could be assuming a read-only base for the chroot, like docker or snapshot-able VM images or running the chroot in a loop-mounted ISO image or ...
      – quixotic
      Mar 21 '17 at 4:14










    • > Its unclear what you mean by "changes to the filesystem" That was to avoid docker fans to flood the topic :) What I really need is to be able to install any package, which pulls a lot of dependencies in that way it won't pollute the system, and be usable in the shell like it is installed in /usr/bin. So I would like it to use main root, but all the changes it produces, including dependencies, logs, etc. to be stored in separate directory. I want it to know nothing about root system, and the processes it's running, as it won't work smoothly.
      – user4674453
      Mar 21 '17 at 22:36

















    up vote
    0
    down vote













    It is possible to mount /proc in a chroot environment - see this answer for more on that.



    I would have concerns that the program would not be able to get access to other processes as much (if not all) of this information can be accessed through /proc (/proc/[pid number] will give you access to this ).



    Its unclear what you mean by "changes to the filesystem", but if these changes are to the filesystem excluding special bits like /proc, /dev/ etc, these will stay in the chroot.






    share|improve this answer





















    • mounting the real /proc in the chroot is pretty much exactly what the question is trying to avoid.
      – quixotic
      Mar 21 '17 at 4:00










    • @quixotic - if thats the case, the answer is "no" - unless a lot more information given as to what specific parts of /proc are needed. Rereading the question, I wonder if the understanding of filesystems is correct - as in does "changes to the filesystem must be preserved" imply access to files outside the scope of the directories under the chroot jail.
      – davidgo
      Mar 21 '17 at 4:06










    • agree that doesn't entirely make sense -- it could be assuming a read-only base for the chroot, like docker or snapshot-able VM images or running the chroot in a loop-mounted ISO image or ...
      – quixotic
      Mar 21 '17 at 4:14










    • > Its unclear what you mean by "changes to the filesystem" That was to avoid docker fans to flood the topic :) What I really need is to be able to install any package, which pulls a lot of dependencies in that way it won't pollute the system, and be usable in the shell like it is installed in /usr/bin. So I would like it to use main root, but all the changes it produces, including dependencies, logs, etc. to be stored in separate directory. I want it to know nothing about root system, and the processes it's running, as it won't work smoothly.
      – user4674453
      Mar 21 '17 at 22:36















    up vote
    0
    down vote










    up vote
    0
    down vote









    It is possible to mount /proc in a chroot environment - see this answer for more on that.



    I would have concerns that the program would not be able to get access to other processes as much (if not all) of this information can be accessed through /proc (/proc/[pid number] will give you access to this ).



    Its unclear what you mean by "changes to the filesystem", but if these changes are to the filesystem excluding special bits like /proc, /dev/ etc, these will stay in the chroot.






    share|improve this answer












    It is possible to mount /proc in a chroot environment - see this answer for more on that.



    I would have concerns that the program would not be able to get access to other processes as much (if not all) of this information can be accessed through /proc (/proc/[pid number] will give you access to this ).



    Its unclear what you mean by "changes to the filesystem", but if these changes are to the filesystem excluding special bits like /proc, /dev/ etc, these will stay in the chroot.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Mar 21 '17 at 3:13









    davidgo

    41.4k74985




    41.4k74985












    • mounting the real /proc in the chroot is pretty much exactly what the question is trying to avoid.
      – quixotic
      Mar 21 '17 at 4:00










    • @quixotic - if thats the case, the answer is "no" - unless a lot more information given as to what specific parts of /proc are needed. Rereading the question, I wonder if the understanding of filesystems is correct - as in does "changes to the filesystem must be preserved" imply access to files outside the scope of the directories under the chroot jail.
      – davidgo
      Mar 21 '17 at 4:06










    • agree that doesn't entirely make sense -- it could be assuming a read-only base for the chroot, like docker or snapshot-able VM images or running the chroot in a loop-mounted ISO image or ...
      – quixotic
      Mar 21 '17 at 4:14










    • > Its unclear what you mean by "changes to the filesystem" That was to avoid docker fans to flood the topic :) What I really need is to be able to install any package, which pulls a lot of dependencies in that way it won't pollute the system, and be usable in the shell like it is installed in /usr/bin. So I would like it to use main root, but all the changes it produces, including dependencies, logs, etc. to be stored in separate directory. I want it to know nothing about root system, and the processes it's running, as it won't work smoothly.
      – user4674453
      Mar 21 '17 at 22:36




















    • mounting the real /proc in the chroot is pretty much exactly what the question is trying to avoid.
      – quixotic
      Mar 21 '17 at 4:00










    • @quixotic - if thats the case, the answer is "no" - unless a lot more information given as to what specific parts of /proc are needed. Rereading the question, I wonder if the understanding of filesystems is correct - as in does "changes to the filesystem must be preserved" imply access to files outside the scope of the directories under the chroot jail.
      – davidgo
      Mar 21 '17 at 4:06










    • agree that doesn't entirely make sense -- it could be assuming a read-only base for the chroot, like docker or snapshot-able VM images or running the chroot in a loop-mounted ISO image or ...
      – quixotic
      Mar 21 '17 at 4:14










    • > Its unclear what you mean by "changes to the filesystem" That was to avoid docker fans to flood the topic :) What I really need is to be able to install any package, which pulls a lot of dependencies in that way it won't pollute the system, and be usable in the shell like it is installed in /usr/bin. So I would like it to use main root, but all the changes it produces, including dependencies, logs, etc. to be stored in separate directory. I want it to know nothing about root system, and the processes it's running, as it won't work smoothly.
      – user4674453
      Mar 21 '17 at 22:36


















    mounting the real /proc in the chroot is pretty much exactly what the question is trying to avoid.
    – quixotic
    Mar 21 '17 at 4:00




    mounting the real /proc in the chroot is pretty much exactly what the question is trying to avoid.
    – quixotic
    Mar 21 '17 at 4:00












    @quixotic - if thats the case, the answer is "no" - unless a lot more information given as to what specific parts of /proc are needed. Rereading the question, I wonder if the understanding of filesystems is correct - as in does "changes to the filesystem must be preserved" imply access to files outside the scope of the directories under the chroot jail.
    – davidgo
    Mar 21 '17 at 4:06




    @quixotic - if thats the case, the answer is "no" - unless a lot more information given as to what specific parts of /proc are needed. Rereading the question, I wonder if the understanding of filesystems is correct - as in does "changes to the filesystem must be preserved" imply access to files outside the scope of the directories under the chroot jail.
    – davidgo
    Mar 21 '17 at 4:06












    agree that doesn't entirely make sense -- it could be assuming a read-only base for the chroot, like docker or snapshot-able VM images or running the chroot in a loop-mounted ISO image or ...
    – quixotic
    Mar 21 '17 at 4:14




    agree that doesn't entirely make sense -- it could be assuming a read-only base for the chroot, like docker or snapshot-able VM images or running the chroot in a loop-mounted ISO image or ...
    – quixotic
    Mar 21 '17 at 4:14












    > Its unclear what you mean by "changes to the filesystem" That was to avoid docker fans to flood the topic :) What I really need is to be able to install any package, which pulls a lot of dependencies in that way it won't pollute the system, and be usable in the shell like it is installed in /usr/bin. So I would like it to use main root, but all the changes it produces, including dependencies, logs, etc. to be stored in separate directory. I want it to know nothing about root system, and the processes it's running, as it won't work smoothly.
    – user4674453
    Mar 21 '17 at 22:36






    > Its unclear what you mean by "changes to the filesystem" That was to avoid docker fans to flood the topic :) What I really need is to be able to install any package, which pulls a lot of dependencies in that way it won't pollute the system, and be usable in the shell like it is installed in /usr/bin. So I would like it to use main root, but all the changes it produces, including dependencies, logs, etc. to be stored in separate directory. I want it to know nothing about root system, and the processes it's running, as it won't work smoothly.
    – user4674453
    Mar 21 '17 at 22:36














    up vote
    0
    down vote













    You can accomplish this using Linux namespaces. Containers (Docker, lxc) are made out of those. man unshare is Your friend.
    Beware that attacker can easily escape chroot if You use it improperly. Read up on this before using it. You have been warned.






    share|improve this answer

























      up vote
      0
      down vote













      You can accomplish this using Linux namespaces. Containers (Docker, lxc) are made out of those. man unshare is Your friend.
      Beware that attacker can easily escape chroot if You use it improperly. Read up on this before using it. You have been warned.






      share|improve this answer























        up vote
        0
        down vote










        up vote
        0
        down vote









        You can accomplish this using Linux namespaces. Containers (Docker, lxc) are made out of those. man unshare is Your friend.
        Beware that attacker can easily escape chroot if You use it improperly. Read up on this before using it. You have been warned.






        share|improve this answer












        You can accomplish this using Linux namespaces. Containers (Docker, lxc) are made out of those. man unshare is Your friend.
        Beware that attacker can easily escape chroot if You use it improperly. Read up on this before using it. You have been warned.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 19 at 20:51









        lynx

        12




        12






























             

            draft saved


            draft discarded



















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1190640%2fis-it-possible-to-run-a-process-in-chroot-with-virtual-proc-filesystem-under-li%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            How do I know what Microsoft account the skydrive app is syncing to?

            Image
            up vote 4 down vote favorite 1 Some time ago, I set up skydrive for my wife on her mac. But now she wants to access the files online, I cannot remember what Microsoft account I setup and linked her skydive app to and nor can I see anything in the skydrive app settings to tell me either? How can I see the name of the Microsoft account the skydive app is currently linked to? I would like to know this for skydrive app for Mac and PC onedrive share | improve this question asked Feb 25 '13 at 4:52 Gary Barrett 260 2 5 12
            Read more

            Grease: Live!

            Image
            A tradução deste artigo está abaixo da qualidade média aceitável. É possível que tenha sido feita por um tradutor automático ou por alguém que não conhece bem o português ou a língua original do texto. Caso queira colaborar com a Wikipédia, tente encontrar a página original e melhore este verbete conforme o guia de tradução. Grease: Live! Grease: Live!  (PRT/BRA)  Estados Unidos 2016 •   cor •   130 min. min   Direção Thomas Kail Alex Rudzinski Produção Marc Platt Adam Siegel Roteiro Allan Carr Robert Cary Warren Casey Jim Jacobs Jonathan Tolins Bronte Woodard Baseado em Grease (musical) Grease (filme) Elenco Julianne Hough Aaron Tveit Vanessa Hudgens Carlos Pena Jr. Keke Palmer Carly Rae Jepsen Kether Donohue Jordan Fisher David Del Rio Andrew Call Gênero Musical Música Tom Kitt Figurino William Ivey Long Companhia(s) produtora(s) Warner Bros. Studios Distribuição Fox Lançamento 31 de Janei
            Read more

            When does type information flow backwards in C++?

            Image
            up vote 62 down vote favorite 19 I just watched Stephan T. Lavavej talk at CppCon 2018 on "Class Template Argument Deduction", where at some point he incidentally says: In C++ type information almost never flows backwards ... I had to say "almost" because there's one or two cases, possibly more but very few . Despite trying to figure out which cases he might be referring to, I couldn't come up with anything. Hence the question: In which cases the C++17 standard mandates that type information propagate backwards? c++ language-lawyer c++17 share | improve this question edited 7 hours ago scohe0
            Read more